Silk Road forums

Discussion => Security => Topic started by: abby on July 16, 2013, 11:48 pm

Title: UK - Teenager jailed for keeping computer password secret
Post by: abby on July 16, 2013, 11:48 pm
This appears to be kiddy porn rather than drugs but I think it might be worth reviewing your security set up if there's any chance your encrypted drives can be found.

http://www.guardian.co.uk/uk/2010/oct/05/password-computer-teenager   

"A teenager has been jailed for four months for refusing to give police the password to his computer. Oliver Drage, 19, of Freckleton, Lancs, had originally been arrested in May last year by a team of officers from Blackpool tackling child sexual exploitation. His computer was seized but officers could not access material stored on it as it was protected by a sophisticated 50-character encryption password.
Drage, who worked in a fast food shop, was then formally requested to disclose the password but failed to do so. He was convicted after a trial last month of failing to disclose an encryption key, an offence covered by the Regulation of Investigatory Powers Act 2000.
Yesterday at Preston crown court he was sentenced to 16 weeks in a young offenders institution.
Det Sergeant Neil Fowler, of Lancashire Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
Police are still trying to crack the code on Drage's computer to find out its contents."
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Quazee on July 17, 2013, 12:28 am
Damn, this is really fucking stupid. What if you forgot your password? This shit needs to be overturned. I need to find a Linux full disk encryption that I can set up with plausible deniability that's not TrueCrypt.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: kmfkewm on July 17, 2013, 06:13 am
16 weeks beats 10-20 years and lifetime registration as a sex offender.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: kmfkewm on July 17, 2013, 06:17 am
Seems like a good technique is using a remote server in a country like Russia, with SSHFS over Tor, and a virtual machine. All of the files are stored remotely but you have access to them as if they were on your actual machine, plus they are encrypted on the remote server, plus you cannot be linked to the remote server. Persistence and nothing for the piggies to demand you decrypt, unless of course they trace your connection to the remote server and get the Russians to demand that you cooperate (which in this case they wouldn't do, since CP is totally legal to possess in Russia anyway). I wonder if the pigs in the UK think that they can demand you to decrypt a filesystem in Russia.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Rastaman Vibration on July 17, 2013, 07:45 am
Damn, that's fucked up. The Regulation of Investigatory Powers Act of 2000? How about the Bend Over And Take It Up the Rear Police State Act of 2000.

 >:(
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: c13hqPX7d on July 17, 2013, 08:14 am
That's quite a sad story. I'm ashamed for the judge who actually sentenced the kid.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: zxydwx3 on July 17, 2013, 08:36 am
Quote
16 weeks beats 10-20 years and lifetime registration as a sex offender.

Quote
That's quite a sad story. I'm ashamed for the judge who actually sentenced the kid.

This is disgusting. I'm glad my country can't compel people to reveal passwords. How could any decent, sane person think giving LE this much power is a good thing?
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: samesamebutdifferent on July 17, 2013, 08:51 am
Make sure you set up both inner and outer volumes for your TrueCrypt and have something innocuous saved in the outer so you can give up a password if pressed to avoid this kind of bullshit.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Aussie bob on July 17, 2013, 08:58 am
I wonder, did this kid outright refuse to give his password, or did they demonstrate through data, router logs or info from the ISP showing MAC address or internal logs accessed forensically, that he'd been using the PC recently? Either way, crazy shit if they didn't have any real evidence of a crime, and were simply demanding access to fish for evidence in hope. Because, he obviously hasn't been charged with the crime he was suspected of :( AB.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: PlutoPete on July 17, 2013, 09:42 am
UK uses this threat a lot now, the maximum is 6 months for withholding passwords but then after that they can give you another 6 if you still refuse to hand over the info.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: NorthernStar on July 17, 2013, 11:11 am
Not one of you guys has noticed when that article was from... Hmmmm, 3 and a half years ago... I wonder are they still trying to crack it.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: StExo on July 17, 2013, 05:50 pm
Welcome to the UK, the country where we fought and died for freedom, and then just 3 generations later when people our age haven't had to fight for shit in their lives, let alone their freedom, we stand by idly whilst our government takes us for fools.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: uglydoll on July 17, 2013, 07:25 pm
Well, this rule they also got in The Netherlands. There was an article about it today, that it's against human rights.

Here in The Netherlands they can a just this rule if you are a pedophile or terrorist. But I don't for other crimes on the net.

If you don't give the password you get 3 years in jail.

Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: kmfkewm on July 17, 2013, 09:04 pm
Hopefully in the USA this makes it to the supreme court soon so that it can be ruled as unconstitutional. At least we would hope it is ruled unconstitutional, but the government has all kinds of arguments as to why it is perfectly fine to demand people incriminate themselves. The thing about the USA is that on paper it is completely different than it is in practice, but politicians talk about it like it is on paper and then disregard it in practice.

There are several possible technical countermeasures to this sort of attack. The first is deniable encryption, although I believe that operating system leaks and such can still give forensic analysts the ability to determine that there is a hidden volume present. There is also the risk that they will simply demand you to decrypt a hidden volume as well, on the assumption that anybody who uses programs that support hidden volumes must have a hidden volume. Essentially a lot of people are worried that this is going to turn into "Incriminate yourself and go to prison or go to prison for not incriminating yourself", even in cases where people really don't have any incriminating files, because they don't have hidden volumes but are demanded to decrypt something into the illegal things the police claim that they have. Another option is to use offshore servers with encryption as well of course (never storing plaintext on the server), I am not positive but I think that maybe the police in UK or NL cannot demand you to decrypt a hard drive that is in a different country. The best option of all is to never get to the step where they demand you to decrypt your files, taking measures against traffic analysis should prevent them from ever determining who you are in the first place. Encryption of persistent storage has always been a back up plan in case measures against traffic analysis fail, if you protect from traffic analysis and hacking then your encrypted persistent storage will probably never be put to the test.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Aussie bob on July 17, 2013, 09:13 pm
Hi, could you please go into a little more detail on what you mean about taking measures to protect against traffic analysis. What kinds of preventive measures would you recommend one researched and attempted to implement? Thanks, AB.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: samesamebutdifferent on July 17, 2013, 09:43 pm
Quote
UK uses this threat a lot now, the maximum is 6 months for withholding passwords but then after that they can give you another 6 if you still refuse to hand over the info.

I know several people who work in IT and the phenomenon of people forgetting their passwords is ridiculously common, how the fuck can they send you to prison for not handing over something you genuinely may not be able to provide is astounding. The burden of responsibility to prove guilt should reside with those trying to prosecute, if we have reached a point where people are put in situations where they either have to incriminate themselves or go to prison the laughably named justice system has lost any semblance of credibility.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: kmfkewm on July 17, 2013, 10:05 pm
Investigations like this generally consist of three distinct phases.

Phase One: Traffic Analysis reveals the location of a suspect

This is usually because the suspect did not use any anonymity measures, so their IP address was logged by some LE fuckwad. The IP address by itself is not enough to get a conviction because results from traffic analysis can be misleading, but in most cases the results do point to the correct suspect. An example of when the results are misleading would be if the previously mentioned LE fuckwad logs an IP address of an open wireless access point that was used by the real target, or if they log the IP address of a proxy exit node that was used by the real target, etc. The results from traffic analysis are used to get an initial search warrant for the home of the owner of the identified IP address, as well as warrants to confiscate the computer equipment at the identified home so that they can be subjected to computer forensics. A countermeasure against traffic analysis is the use of Tor. There are several techniques used though, some people use Tor, Freenet or I2P, others use HTTP proxies, others use paid VPN services, others use Botnets, others use open WiFi access points, some people hack into the servers they access and actually delete log files, etc. Generally people consider Tor, Freenet and I2P to be the best measures for protecting from traffic analysis, VPN services are hit or miss but more often than not the VPN will only provide temporary and limited protection from an attacker, same for open proxies for the most part. Botnets are actually considered as one of the most secure ways of protecting from traffic analysis, I have even heard the Tor developers say that somebody with a botnet bigger than Tor can have protection greater than Tor can provide, so having a really big Botnet is probably your best bet for maintaining anonymity, with Tor, I2P, and Freenet coming in close second.

Phase Two: Field agents raid the suspect and seize computers

After identifying a suspect IP address and determining the person it is associated with, the police get a warrant and carry out a raid of the suspect. This doesn't happen in all cases though due to the limited resources of the police, in fact only a small minority of IP addresses identified as engaging in illegal activity are ever followed up on, generally sorted by the severity of the crime (ie: the more they want you the more likely they are to spend their limited resources actually raiding you etc). One of the reasons that they want to force ISPs to store logs of which customer is assigned which IP address at what time is because sometimes by the time they work through their list of identified suspect IP addresses to a certain target, they can no longer associate the IP address with a subscriber's account because the ISP no longer has logs. Anyway, the way a raid is carried out will differ based upon the skill level of the raiding police as well as their own analysis of the level of security they expect you to be utilizing. If the police raiding you are not skilled they will likely simply kick your door down or knock on your door, arrest you, unplug your computers and send them to a forensics lab. If the police raiding you are skilled enough, and they think that you are using encryption, they will very likely try to obtain your computers while they are still booted up and then try to obtain the encryption keys from RAM prior to sending them to a forensics lab.
There are techniques you can use to protect yourself from field agents obtaining your encryption keys during a raid, some people have hotkeys that instantly wipe encryption keys and power off the machine after they are hit, some people even make deadman switches that will wipe encryption keys and power off the machine if they do not have pressure applied to them (ie: you sit on it, and if the police tackle you to the ground your encryption keys are instantly wiped and your system shuts down), I have heard of people monitoring entrance points to their homes with CCTV cameras, and there are also technical solutions that can be attempted such as using Tresor to store encryption keys in CPU registers instead of in RAM.

Phase Three: Forensic technicians analyze the seized computer attempting to gather evidence

Depending on the type of investigation this step may play a critical role. In the case of drug trafficking investigations a forensic analysis of the seized computer will likely not be crucial to obtaining a conviction, the drug trafficker will likely be caught with drugs during Phase Two, or following Phase One they will be put under surveillance during which they are observed obtaining and/or sending out drugs. In a drug trafficking investigation the forensic analysis will largely be in an attempt to find addresses or names or phone numbers of contacts/customers, possibly chat logs between the vendor and his customers/supplier, and perhaps evidence of ties to a ring or similar. On the other hand, in hacking or especially CP investigations, Phase Three is often critical to secure a conviction, unless Phase Two field agents utilize techniques such as hardware keyloggers (overall rare but not unheard of and more common in bigger cases), hidden cameras (also rare), TEMPEST surveillance (I have only heard of this being used in espionage and terrorism related cases), etc, prior to a raid. In these cases I would say Phase Two has Part A and Part B, with Part A consisting of surveillance and Part B consisting of a raid. In most cases there is not a Part A, even if it would be beneficial to the investigation and to securing a conviction.

Anyway, the forensics technicians will look for incriminating evidence (perhaps look for the ONLY incriminating evidence, in the case of CP investigations), they will try to build a timeline of criminal events, they will try to tie the illegal activity to a single user of the physical computer, etc. In most cases, forensics technicians are nearly completely incapable of doing analysis on a machine that has its entire persistent storage drive encrypted. They may be able to tie the MAC address of a networking card to a session used for illegal activity on an open access point, or things like this, but 99% of what they do requires an unencrypted drive to analyze. FDE almost completely removes the ability for Phase Three to be carried out, unless the encryption can be broken or the password guessed. Since many investigations entirely rely on Phase Three to secure a conviction, FDE is a major hindrance to the government's ability to prosecute certain crimes.


Not everybody protects themselves from all steps of a computer based criminal investigation. I would say actually that the majority of people do nothing to protect themselves from traffic analysis, surveillance raids or forensic analysis. Of the people who do protect themselves somewhat, not all of them protect themselves adequately or completely. Some people will use a single hop HTTP proxy as their only defensive technique, others will use FDE but they will not make any attempt to protect themselves from traffic analysis (likely the case in the investigation mentioned in the OP). The most secure people protect themselves from all phases of an investigation, often redundantly (Tor + Open WiFi, Tresor + Memory Wipe Hotkey, FDE + Truecrypt Containers).

Since each phase relies on the success of the previous phase in order for it to even be initiated, it is obvious that the most important thing to protect yourself from is traffic analysis. If the attacker can not identify who you are, they can not place you under surveillance, they cannot seize your computer and they can not have forensic technicians analyze your seized computer. If you put all of your eggs in one basket, it should definitely be the anonymity basket. On the other hand, some people put all of their eggs in the encryption basket, and this has generally worked out okay for them, depending on the country they are in. Some people in the USA have had CP charges dismissed because no CP could be recovered from their encrypted drives, on the other hand we have cases where they are held in contempt of court for refusing to reveal passwords. In countries like the UK the government has made laws saying that people must give up their passwords if ordered to do so by the police, and this is so that phase three can be completed in order to secure a conviction, but phase three is never reached in cases where phase one is never completed. Also, refusing to give up your password generally results in a much lesser sentence than you would receive if you do give up your password, most people would rather be held in contempt of court and jailed for a year than convicted of possession of CP and sent to prison for some decades and labeled as a sex offender for life.

Note that in more advanced investigations it might make more sense to break things apart into five distinct phases, or even to avoid a cookie cutter model like this, but in the majority of cases these are the phases that the investigation consists of.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: abby on July 17, 2013, 10:51 pm
Quote
Hopefully in the USA this makes it to the supreme court soon so that it can be ruled as unconstitutional. At least we would hope it is ruled unconstitutional, but the government has all kinds of arguments as to why it is perfectly fine to demand people incriminate themselves. The thing about the USA is that on paper it is completely different than it is in practice, but politicians talk about it like it is on paper and then disregard it in practice.


some links I found that relate to a US version of this. I couldn't find anything later than last year so I don't know what happened to this.  I assume it was quietly forgotten since they got in without her help. (I suspect you may have already seen some but just in case..)

https://www.eff.org/cases/us-v-fricosu
https://en.wikipedia.org/wiki/United_States_v._Fricosu
http://blogs.findlaw.com/tenth_circuit/2012/02/tenth-circuit-wont-protect-ramona-fricosus-password.html

and one more that briefly looks at both the US and UK http://nakedsecurity.sophos.com/2012/01/09/can-you-be-forced-by-law-to-decrypt-your-computer-us-v-fricosu-court-case-rages-on/
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Aussie bob on July 17, 2013, 11:24 pm
Quote
Investigations like this generally consist of three distinct phases.

Phase One: Traffic Analysis reveals the location of a suspect

Thank you mate, that's very very helpful! I'm not going to go into specifics on the forum, but there are definitely areas in there I need to learn more about :P Eliminate potential weaknesses, or at least have proven/creative processes to recognise and respond to threats before they become unmanageable. +1 AB
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: wiggum on July 19, 2013, 03:28 am
Hopefully in the USA this makes it to the supreme court soon so that it can be ruled as unconstitutional. At least we would hope it is ruled unconstitutional, but the government has all kinds of arguments as to why it is perfectly fine to demand people incriminate themselves. The thing about the USA is that on paper it is completely different than it is in practice, but politicians talk about it like it is on paper and then disregard it in practice.


some links I found that relate to a US version of this. I couldn't find anything later than last year so I don't know what happened to this.  I assume it was quietly forgotten since they got in without her help. (I suspect you may have already seen some but just in case..)

https://www.eff.org/cases/us-v-fricosu
https://en.wikipedia.org/wiki/United_States_v._Fricosu
http://blogs.findlaw.com/tenth_circuit/2012/02/tenth-circuit-wont-protect-ramona-fricosus-password.html

and one more that briefly looks at both the US and UK http://nakedsecurity.sophos.com/2012/01/09/can-you-be-forced-by-law-to-decrypt-your-computer-us-v-fricosu-court-case-rages-on/

In a more recent US case, the judge initially ordered the defendant to give up his password, then stayed his order to give the parties the opportunity to argue whether the password has 5th amendment protection.  I don't think the judge has made a decision yet.  Here's a post I made about this last month http://dkn255hz262ypmii.onion/index.php?topic=168349.msg1200065#msg1200065

In any case, the US federal courts are divided on whether passwords are protected by the 5th.  This is surely a Supreme Court issue - I can't believe they haven't ruled on a case involving it yet.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: upthera on July 19, 2013, 01:08 pm
Hopefully in the USA this makes it to the supreme court soon so that it can be ruled as unconstitutional. At least we would hope it is ruled unconstitutional, but the government has all kinds of arguments as to why it is perfectly fine to demand people incriminate themselves. The thing about the USA is that on paper it is completely different than it is in practice, but politicians talk about it like it is on paper and then disregard it in practice.


some links I found that relate to a US version of this. I couldn't find anything later than last year so I don't know what happened to this.  I assume it was quietly forgotten since they got in without her help. (I suspect you may have already seen some but just in case..)

https://www.eff.org/cases/us-v-fricosu
https://en.wikipedia.org/wiki/United_States_v._Fricosu
http://blogs.findlaw.com/tenth_circuit/2012/02/tenth-circuit-wont-protect-ramona-fricosus-password.html

and one more that briefly looks at both the US and UK http://nakedsecurity.sophos.com/2012/01/09/can-you-be-forced-by-law-to-decrypt-your-computer-us-v-fricosu-court-case-rages-on/

In a more recent US case, the judge initially ordered the defendant to give up his password, then stayed his order to give the parties the opportunity to argue whether the password has 5th amendment protection.  I don't think the judge has made a decision yet.  Here's a post I made about this last month http://dkn255hz262ypmii.onion/index.php?topic=168349.msg1200065#msg1200065

In any case, the US federal courts are divided on whether passwords are protected by the 5th.  This is surely a Supreme Court issue - I can't believe they haven't ruled on a case involving it yet.

oh it's coming here, I believe someone was held in contempt recently for refusing to give up his passphrase.  the comment on the US by kmfkewm,

Quote
that on paper it is completely different than it is in practice, but politicians talk about it like it is on paper and then disregard it in practice.

is so very true and something many people gloss over. The "rules" do not apply. I once worked with a ret. NY State Trooper who told me, "jason, do not ever befriend a cop, don't ever talk to a cop, if you are in a bar and one comes in, you leave, I learned the hard way what sadistic types Law Enforcement and "Corrections" attracts. Jay, it is not a case of one bad apple spoiling the bunch, the majority are either bad apples or turn a blind eye which makes them just as bad. Just learn something from my 30+ years of experience of dealing with these soul suckers and never go near them, and again never befriend them, THEY ARE NOT YOUR FRIENDS!" That was a long time ago and I never forgot it. This was a very kind, generous, elderly man who had no reason to lie to me or say what he said for any other reason than genuine concern. I was young and I think he recognised I was "the at risk type" at risk for the LAO. They don't enforce shit people, so calling them LEO's is too nice, they abuse the law day in and day out.
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: sharonneedles on July 19, 2013, 03:43 pm
How could someone avoid this?
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: Aussie bob on July 19, 2013, 05:31 pm

   So, how gay are you?
Title: Re: UK - Teenager jailed for keeping computer password secret
Post by: jackherer1975 on July 19, 2013, 05:44 pm

   So, how gay are you?

LOL